Description
In the elliptic-based version, `loadUncompressedPublicKey` checks that the public key is on the curve: https://github.com/cryptocoinjs/secp256k1-node/blob/6d3474b81d073cc9c8cc8cfadb580c84f8df5248/lib/elliptic.js#L37-L39
loadCompressedPublicKey is, however, missing that check: https://github.
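The kind of on-curve validation the description refers to, as an added example (not code from secp256k1-node or its patch). The helper name `loadCompressedPublicKeyChecked` and the sample keys are assumptions constructed for illustration; it decompresses the key and rejects it unless the recovered y satisfies y² = x³ + 7 mod p.

```javascript
// Added example: decompress a secp256k1 public key and enforce the on-curve check.
const P = 2n ** 256n - 2n ** 32n - 977n; // secp256k1 field prime
const B = 7n;                            // curve: y^2 = x^3 + 7 (mod P)

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Hypothetical helper name; returns {x, y} as BigInt, or null when the key is invalid.
function loadCompressedPublicKeyChecked(bytes) {
  if (!(bytes instanceof Uint8Array) || bytes.length !== 33) return null;
  const prefix = bytes[0];
  if (prefix !== 0x02 && prefix !== 0x03) return null;
  const x = BigInt('0x' + Buffer.from(bytes.subarray(1)).toString('hex'));
  if (x >= P) return null; // x must be a reduced field element
  const rhs = (modPow(x, 3n, P) + B) % P;
  // P % 4 == 3, so rhs^((P+1)/4) is a square root of rhs whenever one exists.
  let y = modPow(rhs, (P + 1n) / 4n, P);
  // The on-curve check: if rhs is a non-residue, the candidate is not a root.
  if ((y * y) % P !== rhs) return null;
  if ((y & 1n) !== BigInt(prefix & 1)) y = P - y; // parity encoded by the prefix
  return { x, y };
}

// Constructed inputs: the standard generator point G, and x = 0,
// for which x^3 + 7 has no square root mod P (so no point exists).
const G_COMPRESSED = Buffer.from(
  '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798', 'hex');
const OFF_CURVE = Buffer.concat([Buffer.from([0x02]), Buffer.alloc(32)]);

console.log(loadCompressedPublicKeyChecked(G_COMPRESSED) !== null);
console.log(loadCompressedPublicKeyChecked(OFF_CURVE));
```

A decompression routine that skips the `y * y` comparison would return a "point" for `OFF_CURVE` that does not lie on the curve.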
Recommendation
Update the secp256k1 package to the latest compatible version. Version details:
- Affected version(s): **<= 3.8.0**; **>= 4.0.0, < 4.0.4**; **= 5.0.0**
- Patched version(s): **3.8.1**, **4.0.4**, **5.0.1**
Related Issues
- tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled envir - CVE-2024-49364
- Strapi Allows Unauthorized Access to Private Fields via parms.lookup - CVE-2024-56143
- tiny-secp256k1 allows for verify() bypass when running in bundled environment - CVE-2024-49365
- Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134
Tags: npm, secp256k1
Last updated on October 21, 2024